How to disable Windows "Magic Bytes" behavior?

Is there any way to disable Windows "Magic Bytes" behavior?
A registry tweak, utility, or patch?

Not something that merely masks the behavior or its effects, like say running a limited user account that would limit the amount of damage that an exploit would cause.
Something that actually stops the behavior from occurring in the first place.

Is this a real security issue? Do you perhaps have more info on how malware might use this technique? I never really thought about it.


Hi Rasheed187,

Yes, and here's why.
The "Magic Bytes" behavior appears to boil down to this: for at least some file types, Windows XP will process the file based on its content instead of its extension. This unnecessary behavior allows exploitive malware to hide masked as another file type. It is not the "Magic Bytes" that are the problem. Anti-virus products often use them as part of the malware identification process.
It is what Windows XP does with the "Magic Bytes" (the behavior) that allows a file's extension to be completely bypassed. It also allows malware exploits to have more impact and linger longer than they should.
This occurred during the WMF exploit last December and it will surely be used again. It's a handy way for malware authors to extend the life of their exploits, one that MS has given them.

I don't want this type of behavior on my computer and I want it disabled.
It is basically no different than someone wanting to disable a potentially vulnerable service in Windows XP. This behavior exists somewhere in the OS, maybe a dll or two, the registry, or a service, but it's there.

Just as heuristics have been used with great success to detect new malware based on behaviors, maybe we should start looking at the underlying behaviors of the OS and software that allow malware to exist in the first place. Instead of just patching over the symptoms, we should be curing the real problems.

And what about the "Open files based on content, not file extension" setting in IE's security options? Has this setting anything to do with the "Magic Bytes" behaviour? I still don't know if it's best to enable or disable this setting. But it might have nothing to do with your problem; see the part about "MIME Handling Enforcement".

"MIME Handling Enforcement" appears to be related or similar, but how, I don't have a clue.
I still can't figure out how to make the LMZ icon appear in the Internet Properties security tab as shown in the article. In order to look at the settings in the LMZ, it needs to be unlocked. And how do I lock the LMZ again?

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.


2. If these are different, where is the "Magic Bytes" behavior controlled from?

3. During the WMF Exploit early this year, would disabling "Open files based on content, not file extension" in the LMZ prevent a renamed .wmf exploit file (renamed to .jpg) from executing within windows explorer?

4. By doing this (in all the zones), would it help to prevent similar future exploits from hiding as other file types? One could then simply filter out the vulnerable file type until the exploit is patched.
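The gap the ISC update above describes (a perimeter filter that only looks at the ".wmf" extension lets a renamed WMF through, while anything that looks at the bytes still recognizes it) can be shown with a small content sniffer. The following is an added example, not code from this thread or from Microsoft, and it does not disable the Windows behavior the original poster asks about; it only demonstrates why extension-based filtering is the wrong layer. The header layouts are taken from the WMF format (the Aldus placeable key 0x9AC6CDD7 and the standard METAHEADER fields); the sample "files" are constructed minimal headers with no records, not exploit files, and the placeable checksum is simply left at zero.

```python
import struct

# Aldus "placeable" WMF header starts with the key 0x9AC6CDD7, stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) hmf(2) bbox(8) inch(2) reserved(4) checksum(2)
STANDARD_HEADER_LEN = 18    # mtType(2) mtHeaderSize(2) mtVersion(2) mtSize(4)
                            # mtNoObjects(2) mtMaxRecord(4) mtNoParameters(2)


def _looks_like_standard_header(buf: bytes) -> bool:
    """Standard METAHEADER: type 1 (memory) or 2 (disk), header size 9 words,
    version 0x0100 or 0x0300. Nothing after the header is inspected."""
    if len(buf) < STANDARD_HEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", buf, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def sniff_wmf(data: bytes):
    """Classify by content only: 'placeable', 'standard', or None.
    The file name / extension is deliberately not an input."""
    if data[:4] == PLACEABLE_KEY and _looks_like_standard_header(data[PLACEABLE_HEADER_LEN:]):
        return "placeable"
    if _looks_like_standard_header(data):
        return "standard"
    return None


def blocked_by_extension(name: str) -> bool:
    """The naive perimeter rule the ISC note warns about: block on '.wmf' only."""
    return name.lower().endswith(".wmf")


def blocked_by_content(data: bytes) -> bool:
    """A rule that matches what the OS does: decide from the bytes, not the name."""
    return sniff_wmf(data) is not None


def make_standard_header() -> bytes:
    # Constructed minimal disk-metafile header (9 words, no records); not a real exploit file.
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)


def make_placeable_header() -> bytes:
    # Constructed placeable header (bbox 0,0,100,100 at 96 units/inch, checksum 0)
    # in front of a standard header.
    placeable = PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    return placeable + make_standard_header()


# Constructed samples: one honest .wmf, one WMF renamed to .jpg, one real JPEG start.
SAMPLES = {
    "diagram.wmf": make_standard_header(),
    "holiday.jpg": make_placeable_header(),              # WMF sailing in disguise
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 14,   # JPEG SOI marker, padded
}


def compare_filters(samples=SAMPLES):
    """Return name -> (blocked_by_extension, blocked_by_content) for each sample."""
    return {name: (blocked_by_extension(name), blocked_by_content(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_filters().items():
        print(f"{name:12s} extension-filter={by_ext!s:5s} content-filter={by_content!s:5s} "
              f"sniffed={sniff_wmf(SAMPLES[name])}")
```

The renamed file is the interesting row: the extension rule passes it, the content rule catches it, which is exactly the ordering the ISC note warns about. A filter meant to stand in for a missing patch has to key on the same bytes the vulnerable parser keys on; matching on the name alone only filters the files that were not trying to hide.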